Network users frequently have to submit multiple passwords for the various services they use, such as email, web browsing and intranets, and servers on the network. Maintaining multiple passwords, and constantly being prompted to enter these passwords, is a hassle for users and administrators. Single sign-on is a configuration which allows administrators to create a single password store so that users can log in once, using a single password, and be authenticated against all network resources. For example, a system supporting single sign-on may be used for several resources, including logging into workstation and unlocking screen savers, accessing encrypted web pages using Mozilla Firefox, and sending encrypted email using Mozilla Thunderbird. Single sign-on is both a convenience to users and another layer of security for the server and the network. Single sign-on hinges on secure and effective authentication. The authentication may be managed by a public key infrastructure (PKI), such as implemented by a certificate system.
One of the cornerstones of establishing a secure network environment is making sure that access is restricted to people who have the right to access the network. This access is allowed when the user can authenticate to the system, meaning the user can verify his identity. One method of verifying an identity is presenting a digital signature or a digital certificate. A digital signature is a mathematical representation of a message, using public key cryptography, which identifies the originator of the message, in a non-forgeable manner. Public key cryptography requires the use of two mathematically related keys—a public key and a private key (collectively referred to as a key pair). The private key is kept private by a single owner, and is not distributed to anyone else. The owner uses his or her private key, in conjunction with cryptographic algorithms, to digitally sign a message. The public key is made public, and can be used by anyone to verify the digital signature on a message. The fact that these two keys are mathematically related ensures that only a single private key can generate a digital signature that is verifiable by the corresponding public key, making the digital signature unforgeable. A digital certificate, commonly referred to as a certificate, is an electronic document used to identify an individual, a server, a company, or another type of entity and to associate that identity with a public key. The digital certificate binds a person's identity to his or her public key, and consequently, to his or her private key, and may be used to verify digital signatures. Digital certificates and digital signatures then provide the foundation for secure transactions over a network, such as the Internet.
These certificates can be stored on tokens, also referred to as smart cards, smart card tokens, security tokens, hardware tokens, USB tokens, cryptographic tokens, key fobs, or the like. The token may be a physical device that an authorized user of computer services is given to ease authentication. Tokens can store a certificate that is used for authenticating the identity of the owner. For example, when a user inserts a smart card into a system, the smart card presents the certificates to the system and identifies the user so the user can be authenticated over the network.
Certificate authorities (CAs) validate identities and issue certificates. CAs can be either independent third parties or organizations running their own certificate-issuing server software, such as a certificate system. Before issuing a certificate, a CA must confirm the user's identity with its standard verification procedures. The certificate issued by the CA binds a particular public key to the name of the entity identified by the certificate. In addition to the public key, the certificates include the name of the entity it identifies, an expiration date, and the name of the CA that issued the certificate. Since certificates have an expiration date, such as, for example, 2-3 years, certificates need to be renewed to avoid expiration. Thus, certificates stored on tokens need to be renewed.
Conventional certificate systems require re-enrollment of tokens to renew the certificates stored on the token. The re-enrollment of the token would allow a formatted token to be re-formatted with new certificates. The re-enrollment of the token, however, requires the generation of a new key pair for the new certificates.